Description: All privileged accounts and entitlements are disabled and removed based on the results of a governance process.
Benefit: Supports audit and compliance requirements. Reduces the risk of breach due to excessive privileged access and removes a source of internal threat.
Implementation Approaches
- Automated De-provisioning of Privileged Accounts Directly through Privileged Access Management (PAM)
- Automated De-provisioning through Directory Updates
- Automated De-provisioning Directly Triggered in the Application
- Manual process
Security Frameworks
NIST Cybersecurity Framework 1.1
- PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
- PR.AC-3: Remote access is managed
NIST SP 800-207: Zero Trust Architecture
- 3.1.1: The enhanced identity governance approach to developing a ZTA uses the identity of actors as the key component of policy creation.
- 6.3: Subject provisioning is a key component of ZTA.
Title | Automated De-provisioning of Privileged Accounts Directly through PAM |
Technology Components | Identity Governance Administration (IGA); Identity and Access Management (IAM); Privileged Access Management (PAM) |
Description | The governance system is integrated directly with the PAM system. Privileged account and entitlement information can be modified directly through the PAM system, where the account/entitlement either resides in PAM or can be modified through PAM (i.e. PAM is integrated with the actual privileged resource, and a modification in PAM leads to a modification in the downstream resource). The typical HR lifecycle acts as the trigger for the governance system: events such as application changes, role changes or user departure can all lead to deprovisioning of accounts and entitlements. |
Pre-requisites | APIs are available in PAM; relevant applications with privileged access are managed by PAM; PAM is integrated with the identity governance system; appropriate triggers have been implemented based on HR system policy or from the attestation process |
Supporting Member Companies | BeyondTrust, Centrify, CyberArk, Fischer Identity, Okta, Omada, SailPoint, Saviynt, SecZetta, Remediant |
Title | Automated De-provisioning through Directory Updates |
Technology Components | Identity Governance Administration (IGA); Access Management (IAM) |
Description | The governance system is set up to modify content in a corporate directory (AD/LDAP) whose directory objects are associated with privileged accounts and entitlements of privileged resources. The typical HR lifecycle acts as the trigger for the governance system: events such as application changes, role changes or user departure can all lead to deprovisioning of accounts and entitlements. The governance system understands the directory content (users, user attributes, groups and group membership, etc.) as it relates to specific privileged applications and their accounts and entitlements, and is integrated with the directory, typically through well-known directory interfaces, to modify privileged access accordingly. |
Pre-requisites | Relevant applications are integrated with a directory for the purpose of privileged account/entitlement management; the directory is integrated with the identity governance system, allowing IGA to modify user/attribute/entitlement objects in the directory; the directory is also integrated with access management and PAM for the purpose of authentication and authorization; appropriate triggers have been implemented based on HR system policy or from the attestation process |
Supporting Member Companies | Fischer Identity, ForgeRock, Okta, Omada, Ping Identity, SailPoint, Saviynt, SecZetta |
Title | Automated De-provisioning Directly Triggered in the Application |
Technology Components | Identity Governance Administration (IGA); Access Management (IAM) |
Description | The governance system is set up to handle provisioning and deprovisioning of privileged accounts and entitlements. The typical HR lifecycle acts as the trigger for the governance system: events such as application changes, role changes or user departure can all lead to deprovisioning of accounts and entitlements. The governance system is integrated directly with the target application(s)/system(s) containing privileged access through programming interfaces, and modifies privileged access accordingly. |
Pre-requisites | APIs are available in the applications containing privileged accounts/entitlements so that an API client can deprovision them; relevant applications with privileged access are integrated with the identity governance system; appropriate triggers have been implemented based on HR system policy or from the attestation process |
Supporting Member Companies | Fischer Identity, ForgeRock, Okta, Ping Identity, SailPoint, Saviynt, SecZetta |
Title | Manual Process |
Technology Components | Identity Governance Administration (IGA); Access Management (IAM) |
Description | The typical HR lifecycle acts as the trigger for the governance system: events such as application changes, role changes or user departure can all lead to deprovisioning of accounts and entitlements. Depending on the setup, the governance system is integrated with an internal ticketing system, email, and/or some form of collaboration system to generate a human workflow in which the application/business owners of the respective privileged systems carry out the deprovisioning task manually. |
Pre-requisites | A ticketing system, email and/or some form of collaboration system is integrated with the governance system; appropriate triggers have been implemented based on HR system policy or from the attestation process; users responsible for manually deprovisioning access must be given sufficient details or instructions on how to modify privileged account/entitlement information accordingly |
Supporting Member Companies | Fischer Identity, Okta, Omada, SailPoint, Saviynt, SecZetta |
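As an added illustration (not code from this page or from any listed member company), the following Python sketch shows the core of the governance logic the four approaches share: an HR lifecycle or attestation trigger is compared against the role model, and only the privileged entitlements no longer justified are routed to the PAM, directory, application or manual (ticket) route. The entitlement catalog, role model, target names and owner address are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed catalog: each privileged entitlement and the route the governance
# system uses to revoke it (pam, directory, app, or manual). Targets are placeholders.
CATALOG = {
    "prod-db-admin":    {"route": "pam",       "target": "prod-db-safe"},
    "ad-domain-admins": {"route": "directory", "target": "CN=Domain Admins,DC=example,DC=com"},
    "erp-superuser":    {"route": "app",       "target": "erp-api"},
    "mainframe-oper":   {"route": "manual",    "target": "mainframe", "owner": "mf-owner@example.com"},
}
# Constructed role model: job role -> privileged entitlements it justifies.
ROLES = {"dba": ["prod-db-admin", "ad-domain-admins"],
         "erp-admin": ["erp-superuser"], "ops": ["mainframe-oper"]}

@dataclass(frozen=True)
class Action:
    user: str
    entitlement: str
    route: str        # which implementation approach carries out the removal
    target: str
    instruction: str  # human-readable detail; the manual route needs it
def entitlements_for(roles):
    """Privileged entitlements justified by a set of roles."""
    return {e for r in roles for e in ROLES.get(r, [])}
def plan(event, current_roles):
    """Turn one HR/attestation trigger into de-provisioning actions. event["type"] is
    "departure", "role_change" (with "new_roles") or "attestation_revoke" (with "revoke")."""
    user, kind = event["user"], event["type"]
    held = entitlements_for(current_roles)
    if kind == "departure":             # leaver: nothing remains justified
        keep = set()
    elif kind == "role_change":         # mover: only the new roles justify access
        keep = entitlements_for(event["new_roles"])
    elif kind == "attestation_revoke":  # reviewer explicitly rejected entitlements
        keep = held - set(event["revoke"])
    else:
        raise ValueError(f"unknown trigger type {kind!r}")
    actions = []
    for ent in sorted(held - keep):     # revoke only what is no longer justified
        c = CATALOG[ent]
        if c["route"] == "manual":
            text = f"ticket to {c['owner']}: remove {ent} for {user} on {c['target']}"
        else:
            text = f"{c['route']} connector: revoke {ent} for {user} on {c['target']}"
        actions.append(Action(user, ent, c["route"], c["target"], text))
    return actions
def audit_records(actions):
    """Flat audit rows (user, entitlement, route, target) kept as compliance evidence."""
    return [(a.user, a.entitlement, a.route, a.target) for a in actions]
```

A real deployment would replace the instruction strings with calls to the PAM, directory and application connectors, and file the manual-route instruction as a ticket for the system owner.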